The market value of console hacks

March 10, 2013

In a previous article, I claimed that modern consoles can probably only be hacked by companies, or more generally by people who can invest a relevant amount of money into R&D, then expect a significant return on investment.

Some people contacted me to ask if this is why some hackers in the PSP/Vita/PS3 scene request donations for their work. After seeing a few similar questions in my mail box, I concluded that a clarification was needed: When I meant the people behind the hacks expect a return on investment, I did not mean the couple hundred bucks that a “donate” button would typically give a hobbyist hacker on the PSP scene. I meant thousands of dollars, possibly hundreds of thousands, actually.

In order to give precise replies to the people who contacted me, I looked for the answer to a simple question: what is the actual market value of a console exploit? In other words, if somebody found today an exploit for, say, the PS Vita, and contacted the right people, how much could that person sell it for? As you can guess, this is a very difficult thing to calculate. There are not so many data points, and they are all very fuzzy.

Zooming out: the Global Zero-day vulnerability market

There is more visible data outside of the console world: the price range of weaponized exploits covers a huge spectrum, but the recent pwn2own contest for example had prizes between $60’000 and $100’000 for exploits in the latest versions of major Browsers (Chrome, IE, Firefox, Safari).

As an anecdote, famous iPhone and PS3 Hacker Geohot scored $70’000 at Pwn2Own this year, for hacking Adobe Reader.

Interestingly, it seems nobody tried to actually get the prize for Safari on OSX, and some security researchers claim that such an exploit, most likely compatible with iOS, could probably sell up to $600’000 on the black market (people who complained about the “greediness” of the evasi0n team – who according to some people tried to make as much money as possible through donations and advertising as they released the latest iOs jailbreak – should put that number in perspective). That number is a bit random though, but an accepted “lowest value” for an iOS exploit on the black market seems to be around $250’000.

Looking at other sources, it is clear that zero day vulnerabilities are a profitable market. Numbers from a Forbes article claim that an exploit could sell anywhere between $5’000 and $250’000. That was a year ago, and the prices probably have increased since, in particular for an OS as popular as iOS.

(Forbes 2012)

Of course, there are lots of variations (Not to mention the fact that the nature of this business makes it difficult to have accurate estimates), not all exploits are the same. The amount of potential “targets” (number of users of the OS or piece of software), the rarity of exploits for a given platform, etc… need to be taken into account.

But what about gaming consoles exploits?

Zooming back in: consoles

Gaming consoles are a different story. A “buyer” for a console exploit would probably not try to hack the consoles’ users without them knowing, but instead try to monetize it by selling a downgrader, a Custom Firmware, or a modchip. It’s basically a “reversed” situation, where the users actually want the hack to happen (well, that’s similar to an iPhone jailbreak, but I am willing to bet that the people ready to pay $250’000 for an iOS exploit wouldn’t do it to work on a jailbreak)

I couldn’t find any public figures for the market of modchips, but one of the most recent examples I can think of was the PS3′s True Blue dongle.

I might share detailed numbers in another article, but I estimate that the group of people behind True Blue (and its clones) made somewhere between $500’000 and $1’000’000 of profit selling their dongles (this is pure profit after removing the resellers/affiliates margin, the dev’s share, operational costs and marketing costs. All included, I estimate the whole business around True Blue and its clones is somewhere between $2’000’000 and $5’000’000).

The “value” in the True Blue dongle wasn’t the dongle itself. It was the underlying exploits (not made by the people behind TrueBlue) that allowed it to run unsigned games, and the way the people working on True Blue managed to acquire such unsigned games when nobody else could.

There’s lots of speculation already, but given the margins involved, I pretend that if an exploit hadn’t been available already, the people behind True Blue would have easily paid $50’000 for one (I am talking of a fully working one here, not just a proof of concept), that is, 10% of their profit.

How much would a Vita hack cost?

How about the Vita then? Well, at this point of my research, there are already too many unknowns on many levels for me to come up with any estimation that I would be confident to be quoted with. But, assuming a situation similar to that of True Blue (some people have a way to monetize a potential exploit), and keeping in mind that the Vita, so far, has sold less than 5 million units (compared to 70 million PS3 sold), I would probably revise the numbers to something a bit under $10’000.

I keep mentioning a market that is worth millions of dollars with the True blue example (and I am assuming other modchips have a similar market), so why does it get as “low” as a few thousand bucks for a full vita exploit? Well, I think what people really pay for in this black market is more the pirated content, and less the way to enable it in the first place. In other words, I don’t think a large amount of people would “buy” a CFW (or an exploit) that doesn’t come with a way to play pirated games. This is why in my estimates, the “non paid” exploit for TrueBlue represents 10% of the profit, while their secret to acquire pirated games represents 90%.

Overall, with so few users for now, the Vita is probably not a good target for these companies… but I might be wrong, and I’m sure the modchip industry is already crunching numbers to see if it is worth “investing” in the Vita…

My point however remains the same: although it might not be as lucrative as browsers/OS vulnerabilities, the market of console modchips and game piracy around a single hack/modchip easily adds up to millions of dollars, and cannot be compared to the pocket money some hobbyist hackers get when they ask for a donation.